Dropkick RequestVar
parent
30e534c702
commit
d7e2f811ed
7 changed files with 52 additions and 164 deletions
@ -1,6 +1,4 @@
|
|||
<?php
|
||||
use Misuzu\Request\RequestVar;
|
||||
|
||||
require_once '../../misuzu.php';
|
||||
|
||||
if (user_session_active()) {
|
||||
|
@ -8,29 +6,29 @@ if (user_session_active()) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (isset(RequestVar::get()->resolve_user)) {
|
||||
if (isset($_GET['resolve_user']) && is_string($_GET['resolve_user'])) {
|
||||
header('Content-Type: text/plain; charset=utf-8');
|
||||
echo user_id_from_username(RequestVar::get()->resolve_user->value('string'));
|
||||
echo user_id_from_username($_GET['resolve_user']);
|
||||
return;
|
||||
}
|
||||
|
||||
$login = RequestVar::post()->login;
|
||||
$notices = [];
|
||||
$siteIsPrivate = boolval(config_get_default(false, 'Private', 'enabled'));
|
||||
$loginPermission = $siteIsPrivate ? intval(config_get_default(0, 'Private', 'permission')) : 0;
|
||||
$ipAddress = ip_remote_address();
|
||||
$remainingAttempts = user_login_attempts_remaining($ipAddress);
|
||||
|
||||
while (!empty($login->value('array'))) {
|
||||
while (!empty($_POST['login']) && is_array($_POST['login'])) {
|
||||
if (!csrf_verify('login', $_POST['csrf'] ?? '')) {
|
||||
$notices[] = 'Was unable to verify the request, please try again!';
|
||||
break;
|
||||
}
|
||||
|
||||
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
|
||||
$loginRedirect = $login->redirect->value('string', '');
|
||||
$loginRedirect = empty($_POST['login']['redirect']) || !is_string($_POST['login']['redirect']) ? '' : $_POST['login']['redirect'];
|
||||
|
||||
if ($login->username->empty() || $login->password->empty()) {
|
||||
if (empty($_POST['login']['username']) || empty($_POST['login']['password'])
|
||||
|| !is_string($_POST['login']['username']) || !is_string($_POST['login']['password'])) {
|
||||
$notices[] = "You didn't fill in a username and/or password.";
|
||||
break;
|
||||
}
|
||||
|
@ -40,8 +38,7 @@ while (!empty($login->value('array'))) {
|
|||
break;
|
||||
}
|
||||
|
||||
$loginUsername = $login->username->value('string', '');
|
||||
$userData = user_find_for_login($loginUsername);
|
||||
$userData = user_find_for_login($_POST['login']['username']);
|
||||
$attemptsRemainingError = sprintf(
|
||||
"%d attempt%s remaining",
|
||||
$remainingAttempts - 1,
|
||||
|
@ -55,8 +52,7 @@ while (!empty($login->value('array'))) {
|
|||
break;
|
||||
}
|
||||
|
||||
$loginPassword = $login->password->value('string', '');
|
||||
if (!password_verify($loginPassword, $userData['password'])) {
|
||||
if (!password_verify($_POST['login']['password'], $userData['password'])) {
|
||||
user_login_attempt_record(false, $userData['user_id'], $ipAddress, $userAgent);
|
||||
$notices[] = $loginFailedError;
|
||||
break;
|
||||
|
@ -101,9 +97,11 @@ while (!empty($login->value('array'))) {
|
|||
return;
|
||||
}
|
||||
|
||||
$welcomeMode = RequestVar::get()->welcome->value('bool', false);
|
||||
$loginUsername = $login->username->value('string') ?? RequestVar::get()->username->value('string', '');
|
||||
$loginRedirect = $welcomeMode ? url('index') : RequestVar::get()->redirect->value('string') ?? $_SERVER['HTTP_REFERER'] ?? url('index');
|
||||
$welcomeMode = !empty($_GET['welcome']);
|
||||
$loginUsername = !empty($_POST['login']['username']) && is_string($_POST['login']['username']) ? $_POST['login']['username'] : (
|
||||
!empty($_GET['username']) && is_string($_GET['username']) ? $_GET['username'] : ''
|
||||
);
|
||||
$loginRedirect = $welcomeMode ? url('index') : (!empty($_GET['redirect']) && is_string($_GET['redirect']) ? $_GET['redirect'] : null) ?? $_SERVER['HTTP_REFERER'] ?? url('index');
|
||||
$sitePrivateMessage = $siteIsPrivate ? config_get_default('', 'Private', 'message') : '';
|
||||
$canResetPassword = $siteIsPrivate ? boolval(config_get_default(false, 'Private', 'password_reset')) : true;
|
||||
$canRegisterAccount = !$siteIsPrivate;
|
||||
|
|
|
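Review bot: The redirect target is accepted as any non-empty string in both new assignments, `$loginRedirect = empty($_POST['login']['redirect']) || !is_string(...) ? '' : $_POST['login']['redirect'];` inside the login loop and the `$_GET['redirect'] ... ?? $_SERVER['HTTP_REFERER'] ?? url('index')` chain next to `$welcomeMode`; nothing in these hunks limits it to a location on this site, so if it later ends up in a `Location:` header it is an open redirect. The consumer is outside the hunks and may already check this; if not, keep only site-relative paths, e.g. `if (substr($loginRedirect, 0, 1) !== '/' || substr($loginRedirect, 0, 2) === '//') { $loginRedirect = url('index'); }` applied once after the value is chosen. The `while` body continues outside the hunk.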
@ -1,6 +1,4 @@
|
|||
<?php
|
||||
use Misuzu\Request\RequestVar;
|
||||
|
||||
require_once '../../misuzu.php';
|
||||
|
||||
if (!user_session_active()) {
|
||||
|
@ -8,7 +6,7 @@ if (!user_session_active()) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (csrf_verify('logout', RequestVar::get()->token->value('string', ''))) {
|
||||
if (!empty($_GET['token']) && is_string($_GET['token']) && csrf_verify('logout', $_GET['token'])) {
|
||||
setcookie('msz_auth', '', -9001, '/', '', true, true);
|
||||
user_session_stop(true);
|
||||
header(sprintf('Location: %s', url('index')));
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
<?php
|
||||
use Misuzu\Request\RequestVar;
|
||||
|
||||
require_once '../../misuzu.php';
|
||||
|
||||
if (user_session_active()) {
|
||||
|
@ -8,9 +6,11 @@ if (user_session_active()) {
|
|||
return;
|
||||
}
|
||||
|
||||
$reset = RequestVar::post()->reset;
|
||||
$forgot = RequestVar::post()->forgot;
|
||||
$userId = $reset->user->value('int') ?? RequestVar::get()->user->value('int', 0);
|
||||
$reset = !empty($_POST['reset']) && is_array($_POST['reset']) ? $_POST['reset'] : [];
|
||||
$forgot = !empty($_POST['forgot']) && is_array($_POST['forgot']) ? $_POST['forgot'] : [];
|
||||
$userId = !empty($reset['user']) ? (int)$reset['user'] : (
|
||||
!empty($_GET['user']) ? (int)$_GET['user'] : 0
|
||||
);
|
||||
$username = $userId > 0 ? user_username_from_id($userId) : '';
|
||||
|
||||
if ($userId > 0 && empty($username)) {
|
||||
|
@ -25,21 +25,22 @@ $ipAddress = ip_remote_address();
|
|||
$remainingAttempts = user_login_attempts_remaining($ipAddress);
|
||||
|
||||
while ($canResetPassword) {
|
||||
if (!empty($reset->value('array', null)) && $userId > 0) {
|
||||
if (!empty($reset) && $userId > 0) {
|
||||
if (!csrf_verify('passreset', $_POST['csrf'] ?? '')) {
|
||||
$notices[] = 'Was unable to verify the request, please try again!';
|
||||
break;
|
||||
}
|
||||
|
||||
$verificationCode = $reset->verification->value('string', '');
|
||||
$verificationCode = !empty($reset['verification']) && is_string($reset['verification']) ? $reset['verification'] : '';
|
||||
|
||||
if (!user_recovery_token_validate($userId, $verificationCode)) {
|
||||
$notices[] = 'Invalid verification code!';
|
||||
break;
|
||||
}
|
||||
|
||||
$passwordNew = $reset->password->new->value('string', '');
|
||||
$passwordConfirm = $reset->password->confirm->value('string', '');
|
||||
$password = !empty($reset['password']) && is_array($reset['password']) ? $reset['password'] : [];
|
||||
$passwordNew = !empty($password['new']) && is_string($password['new']) ? $password['new'] : '';
|
||||
$passwordConfirm = !empty($password['confirm']) && is_string($password['confirm']) ? $password['confirm'] : '';
|
||||
|
||||
if (empty($passwordNew) || empty($passwordConfirm)
|
||||
|| $passwordNew !== $passwordConfirm) {
|
||||
|
@ -67,13 +68,13 @@ while ($canResetPassword) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (!empty($forgot->value('array', null))) {
|
||||
if (!empty($forgot)) {
|
||||
if (!csrf_verify('passforgot', $_POST['csrf'] ?? '')) {
|
||||
$notices[] = 'Was unable to verify the request, please try again!';
|
||||
break;
|
||||
}
|
||||
|
||||
if ($forgot->email->empty()) {
|
||||
if (empty($forgot['email']) || !is_string($forgot['email'])) {
|
||||
$notices[] = "You didn't supply an e-mail address.";
|
||||
break;
|
||||
}
|
||||
|
@ -83,7 +84,7 @@ while ($canResetPassword) {
|
|||
break;
|
||||
}
|
||||
|
||||
$forgotUser = user_find_for_reset($forgot->email->value('string'));
|
||||
$forgotUser = user_find_for_reset($forgot['email']);
|
||||
|
||||
if (empty($forgotUser)) {
|
||||
$notices[] = "This e-mail address is not registered with us.";
|
||||
|
@ -129,7 +130,7 @@ MSG;
|
|||
|
||||
echo tpl_render($userId > 0 ? 'auth.password_reset' : 'auth.password_forgot', [
|
||||
'password_notices' => $notices,
|
||||
'password_email' => $forgot->email->value('string', ''),
|
||||
'password_email' => !empty($forget['email']) && is_string($forget['email']) ? $forget['email'] : '',
|
||||
'password_attempts_remaining' => $remainingAttempts,
|
||||
'password_user_id' => $userId,
|
||||
'password_username' => $username,
|
||||
|
|
|
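Review bot: The `tpl_render` argument `'password_email' => !empty($forget['email']) && is_string($forget['email']) ? $forget['email'] : ''` reads `$forget`, but the variable assigned earlier in the file is `$forgot`; `$forget` is never set, so the field is always `''` (with an undefined-variable notice) and the address the user typed is dropped from the re-rendered form. Change it to `'password_email' => !empty($forgot['email']) && is_string($forgot['email']) ? $forgot['email'] : '',`. Separately, the `$userId` assignment casts `$reset['user']` and `$_GET['user']` with `(int)` without the `is_string` guard the other fields get, so a non-scalar value such as `user[]=x` is cast to `1` instead of being rejected; add `is_string($reset['user'])` / `is_string($_GET['user'])` (or `filter_var(..., FILTER_VALIDATE_INT)`) before the cast, consistent with `$verificationCode` below it.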
@ -1,6 +1,4 @@
|
|||
<?php
|
||||
use Misuzu\Request\RequestVar;
|
||||
|
||||
require_once '../../misuzu.php';
|
||||
|
||||
if (user_session_active()) {
|
||||
|
@ -8,14 +6,14 @@ if (user_session_active()) {
|
|||
return;
|
||||
}
|
||||
|
||||
$register = RequestVar::post()->register;
|
||||
$register = !empty($_POST['register']) && is_array($_POST['register']) ? $_POST['register'] : [];
|
||||
$notices = [];
|
||||
$ipAddress = ip_remote_address();
|
||||
$remainingAttempts = user_login_attempts_remaining($ipAddress);
|
||||
$restricted = ip_blacklist_check(ip_remote_address()) ? 'blacklist'
|
||||
: (user_warning_check_ip(ip_remote_address()) ? 'ban' : '');
|
||||
|
||||
while (!$restricted && !empty($register->value('array'))) {
|
||||
while (!$restricted && !empty($register)) {
|
||||
if (!csrf_verify('register', $_POST['csrf'] ?? '')) {
|
||||
$notices[] = 'Was unable to verify the request, please try again!';
|
||||
break;
|
||||
|
@ -26,12 +24,13 @@ while (!$restricted && !empty($register->value('array'))) {
|
|||
break;
|
||||
}
|
||||
|
||||
if ($register->username->empty() || $register->password->empty() || $register->email->empty() || $register->question->empty()) {
|
||||
if (empty($register['username']) || empty($register['password']) || empty($register['email']) || empty($register['question'])
|
||||
|| !is_string($register['username']) || !is_string($register['password']) || !is_string($register['email']) || !is_string($register['question'])) {
|
||||
$notices[] = "You haven't filled in all fields.";
|
||||
break;
|
||||
}
|
||||
|
||||
$checkSpamBot = mb_strtolower($register->question->value('string', ''));
|
||||
$checkSpamBot = mb_strtolower($register['question']);
|
||||
$spamBotValid = [
|
||||
'19', '21', 'nineteen', 'nine-teen', 'nine teen', 'twentyone', 'twenty-one', 'twenty one',
|
||||
];
|
||||
|
@ -41,22 +40,19 @@ while (!$restricted && !empty($register->value('array'))) {
|
|||
break;
|
||||
}
|
||||
|
||||
$username = $register->username->value('string', '');
|
||||
$usernameValidation = user_validate_username($username, true);
|
||||
$usernameValidation = user_validate_username($register['username'], true);
|
||||
if ($usernameValidation !== '') {
|
||||
$notices[] = MSZ_USER_USERNAME_VALIDATION_STRINGS[$usernameValidation];
|
||||
}
|
||||
|
||||
$email = $register->email->value('string', '');
|
||||
$emailValidation = user_validate_email($email, true);
|
||||
$emailValidation = user_validate_email($register['email'], true);
|
||||
if ($emailValidation !== '') {
|
||||
$notices[] = $emailValidation === 'in-use'
|
||||
? 'This e-mail address has already been used!'
|
||||
: 'The e-mail address you entered is invalid!';
|
||||
}
|
||||
|
||||
$password = $register->password->value('string', '');
|
||||
if (user_validate_password($password) !== '') {
|
||||
if (user_validate_password($register['password']) !== '') {
|
||||
$notices[] = 'Your password is too weak!';
|
||||
}
|
||||
|
||||
|
@ -65,9 +61,9 @@ while (!$restricted && !empty($register->value('array'))) {
|
|||
}
|
||||
|
||||
$createUser = user_create(
|
||||
$username,
|
||||
$password,
|
||||
$email,
|
||||
$register['username'],
|
||||
$register['password'],
|
||||
$register['email'],
|
||||
$ipAddress
|
||||
);
|
||||
|
||||
|
@ -77,13 +73,13 @@ while (!$restricted && !empty($register->value('array'))) {
|
|||
}
|
||||
|
||||
user_role_add($createUser, MSZ_ROLE_MAIN);
|
||||
header(sprintf('Location: %s', url('auth-login-welcome', ['username' => $username])));
|
||||
header(sprintf('Location: %s', url('auth-login-welcome', ['username' => $register['username']])));
|
||||
return;
|
||||
}
|
||||
|
||||
echo tpl_render('auth.register', [
|
||||
'register_notices' => $notices,
|
||||
'register_username' => $register->username->value('string', ''),
|
||||
'register_email' => $register->email->value('string', ''),
|
||||
'register_username' => !empty($register['username']) && is_string($register['username']) ? $register['username'] : '',
|
||||
'register_email' => !empty($register['email']) && is_string($register['email']) ? $register['email'] : '',
|
||||
'register_restricted' => $restricted,
|
||||
]);
|
||||
|
|
|
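Review bot: The guard `!empty($x) && is_string($x) ? $x : ''` is now written out by hand at every read of `$register` (the `$register` assignment, the four-field `if`, and the two `tpl_render` entries) and the same idiom is repeated in each of the other touched files; a one-line helper such as `function post_string(array $src, string $key): string { return !empty($src[$key]) && is_string($src[$key]) ? $src[$key] : ''; }` would make the checks uniform and harder to mistype. The four-field `if` tests `empty()` before `is_string()`, so the literal password `0` is rejected as missing; that matches the old `->empty()` behaviour, so it is only worth a comment if it is intended.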
@ -1,6 +1,4 @@
|
|||
<?php
|
||||
use Misuzu\Request\RequestVar;
|
||||
|
||||
require_once '../../misuzu.php';
|
||||
|
||||
if (user_session_active()) {
|
||||
|
@ -8,12 +6,14 @@ if (user_session_active()) {
|
|||
return;
|
||||
}
|
||||
|
||||
$twofactor = RequestVar::post()->twofactor;
|
||||
$twofactor = !empty($_POST['twofactor']) && is_array($_POST['twofactor']) ? $_POST['twofactor'] : [];
|
||||
$notices = [];
|
||||
$ipAddress = ip_remote_address();
|
||||
$remainingAttempts = user_login_attempts_remaining($ipAddress);
|
||||
$tokenInfo = user_auth_tfa_token_info(
|
||||
RequestVar::get()->token->value('string') ?? $twofactor->token->value('string', '')
|
||||
!empty($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : (
|
||||
!empty($twofactor['token']) && is_string($twofactor['token']) ? $twofactor['token'] : ''
|
||||
)
|
||||
);
|
||||
|
||||
// checking user_totp_key specifically because there's a fringe chance that
|
||||
|
@ -23,16 +23,16 @@ if (empty($tokenInfo['user_totp_key'])) {
|
|||
return;
|
||||
}
|
||||
|
||||
while (!empty($twofactor->value('array'))) {
|
||||
while (!empty($twofactor)) {
|
||||
if (!csrf_verify('twofactor', $_POST['csrf'] ?? '')) {
|
||||
$notices[] = 'Was unable to verify the request, please try again!';
|
||||
break;
|
||||
}
|
||||
|
||||
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
|
||||
$redirect = $twofactor->redirect->value('string', '');
|
||||
$redirect = !empty($twofactor['redirect']) && is_string($twofactor['redirect']) ? $twofactor['redirect'] : '';
|
||||
|
||||
if ($twofactor->code->empty()) {
|
||||
if (empty($twofactor['code']) || !is_string($twofactor['code'])) {
|
||||
$notices[] = 'Code field was empty.';
|
||||
break;
|
||||
}
|
||||
|
@ -42,11 +42,10 @@ while (!empty($twofactor->value('array'))) {
|
|||
break;
|
||||
}
|
||||
|
||||
$givenCode = $twofactor->code->value('string', '');
|
||||
$currentCode = totp_generate($tokenInfo['user_totp_key']);
|
||||
$previousCode = totp_generate($tokenInfo['user_totp_key'], time() - 30);
|
||||
|
||||
if ($currentCode !== $givenCode && $previousCode !== $givenCode) {
|
||||
if ($currentCode !== $twofactor['code'] && $previousCode !== $twofactor['code']) {
|
||||
$notices[] = sprintf(
|
||||
"Invalid two factor code, %d attempt%s remaining",
|
||||
$remainingAttempts - 1,
|
||||
|
@ -81,7 +80,7 @@ while (!empty($twofactor->value('array'))) {
|
|||
|
||||
echo tpl_render('auth.twofactor', [
|
||||
'twofactor_notices' => $notices,
|
||||
'twofactor_redirect' => RequestVar::get()->redirect->value('string') ?? url('index'),
|
||||
'twofactor_redirect' => !empty($_GET['redirect']) && is_string($_GET['redirect']) ? $_GET['redirect'] : url('index'),
|
||||
'twofactor_attempts_remaining' => $remainingAttempts,
|
||||
'twofactor_token' => $tokenInfo['tfa_token'],
|
||||
]);
|
||||
|
|
|
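Review bot: The code check `if ($currentCode !== $twofactor['code'] && $previousCode !== $twofactor['code'])` compares the submitted TOTP value with `!==`, which stops at the first differing byte; for an authentication secret the constant-time primitive is expected: `if (!hash_equals($currentCode, $twofactor['code']) && !hash_equals($previousCode, $twofactor['code']))`. `$twofactor['code']` is already guaranteed to be a string by the `is_string` check above, but `totp_generate()` is outside the hunk, so confirm it returns a string rather than an int, since `hash_equals()` requires two strings. The `'twofactor_redirect'` value taken from `$_GET['redirect']` is also passed through unvalidated, the same concern as on the login page.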
@ -1,9 +1,7 @@
|
|||
<?php
|
||||
use Misuzu\Request\RequestVar;
|
||||
|
||||
require_once '../../misuzu.php';
|
||||
|
||||
$forumId = RequestVar::get()->select('f')->value('int');
|
||||
$forumId = !empty($_GET['f']) && !is_array($_GET['f']) ? (int)$_GET['f'] : 0;
|
||||
$forumId = max($forumId, 0);
|
||||
|
||||
if ($forumId === 0) {
|
||||
|
|
|
@ -1,102 +0,0 @@
|
|||
<?php
|
||||
namespace Misuzu\Request;
|
||||
|
||||
class RequestVar
|
||||
{
|
||||
private $value;
|
||||
private $valueCasted = null;
|
||||
private $type;
|
||||
|
||||
protected function __construct($value, ?string $type = null)
|
||||
{
|
||||
$this->value = $value;
|
||||
$this->type = $type ?? gettype($value);
|
||||
}
|
||||
|
||||
public static function get(): RequestVar
|
||||
{
|
||||
return new static($_GET ?? []);
|
||||
}
|
||||
|
||||
public static function post(): RequestVar
|
||||
{
|
||||
return new static($_POST ?? []);
|
||||
}
|
||||
|
||||
public static function request(): RequestVar
|
||||
{
|
||||
return new static($_REQUEST);
|
||||
}
|
||||
|
||||
public function __get(string $name)
|
||||
{
|
||||
return $this->select($name);
|
||||
}
|
||||
|
||||
public function __isset(string $name): bool
|
||||
{
|
||||
return $this->isset($name);
|
||||
}
|
||||
|
||||
public function isset(string $name): bool
|
||||
{
|
||||
switch ($this->type) {
|
||||
case 'array':
|
||||
return isset($this->value[$name]);
|
||||
|
||||
case 'object':
|
||||
return isset($this->value->{$name});
|
||||
|
||||
default:
|
||||
return !is_null($this->value);
|
||||
}
|
||||
}
|
||||
|
||||
public function empty(): bool
|
||||
{
|
||||
return empty($this->value);
|
||||
}
|
||||
|
||||
public function select(string $name): RequestVar
|
||||
{
|
||||
switch ($this->type) {
|
||||
case 'array':
|
||||
return new static($this->value[$name] ?? []);
|
||||
|
||||
case 'object':
|
||||
return new static($this->value->{$name} ?? new \stdClass);
|
||||
|
||||
default:
|
||||
return new static(null);
|
||||
}
|
||||
}
|
||||
|
||||
public function value(string $type = 'string', $default = null)
|
||||
{
|
||||
if (!is_null($this->valueCasted)) {
|
||||
$this->valueCasted;
|
||||
}
|
||||
|
||||
if ($this->type === 'NULL' || (($type === 'object' || $type === 'array') && $this->type !== $type)) {
|
||||
return $default;
|
||||
}
|
||||
|
||||
if ($type !== 'string' && $this->type === 'string') {
|
||||
switch ($type) {
|
||||
case 'boolean':
|
||||
case 'bool':
|
||||
return (bool)$this->value;
|
||||
case 'integer':
|
||||
case 'int':
|
||||
return (int)$this->value;
|
||||
case 'double':
|
||||
case 'float':
|
||||
return (float)$this->value;
|
||||
}
|
||||
} elseif ($type !== $this->type) {
|
||||
return $default;
|
||||
}
|
||||
|
||||
return $this->valueCasted = $this->value;
|
||||
}
|
||||
}
|